Introducing LAVA

LAVA is an automated framework for Live Attack Visualization and Analysis.

Today, analyzing and confirming an attack on the endpoint is complex and time consuming. Often it takes days or even months before the attack is identified at all, and confirming and remediating an endpoint compromise is yet another painful process for large enterprises. Below is the typical ‘data theft cycle’ in an enterprise that the adversary takes advantage of.

LAVA was built with the following goals in mind: provide visibility into the actual point of attack, and present the *relevant* information in an actionable manner. We built an engine that provides relational, temporal and functional {R,T,F} evidence as the attack occurs. Micro-virtualization technology provides unique advantages in analyzing advanced malware targeting endpoints.

Each threat vector, such as rendering a particular website or opening a particular document, is isolated at the hardware layer in its own container (a micro-VM) that is separated from the underlying system, the local network, and any other websites and documents that are open. Because hardware virtualization technologies (Intel VT and EPT) are used, all CPU, memory, disk and network activity related to the threat vector passes through the microvisor, giving it complete visibility of the attack. Unlike traditional detection engines that run inside the compromised system, micro-virtualization uses VM introspection to provide “outside-in” detection, even of advanced threats such as bootkits.

Another advantage of micro-virtualization is the ability to analyze the post-exploitation behavior of an attack. Conventional detection technologies such as anti-virus have to stop an attack at the earliest possible stage to prevent infection of the system. Micro-virtualization affords the luxury of letting an attack execute safely, since it has already been isolated from the system. This provides a view into the typical kill chain of the attack: exploit -> execute -> escalate -> persist -> propagate. It also dramatically reduces the enterprise's attack response cycle.

The ultimate goal is to make security operations more streamlined, automated and cost effective. Let's take the example of a simple drive-by download attack that leverages a Java exploit and then drops and executes the infamous Windows 7 x64 bootkit Xpaj, using a publicly available sample. The security community has already published enough technical detail on this bootkit (Ref [1]). Xpaj is used only as an example to illustrate one capability of VM introspection and post-exploitation taint analysis; the same can be reproduced with any other real-world rootkit or bootkit. This is how the attack plays out:

Internet Explorer 9 (latest SP) – the Java JVM is exploited (CVE-2012-4681) – Xpaj is executed post-exploitation. The malicious changes made post-exploitation by the Java process are tagged by the taint analysis graph inside the micro-VM, and the exploit's initialization phase is highlighted in the graph. Xpaj (like many others of this category) tries to bypass PatchGuard on Windows 7 x64 by overwriting the MBR as its ASEP (Auto Start Extensibility Point). The microvisor intercepts this clearly unexpected event inside the micro-VM and offers several response actions, such as Auto Remediate, DENY or ALLOW, which can be configured through user-defined policies. In this example LAVA highlights an ‘Immutable memory’ event that results from in-guest kernel page introspection. Below is a screenshot of a simplified attack trace generated by the LAVA taint analysis engine, which shows the SOC analyst at a glance that a malicious event occurred.
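To make the mechanics of the trace above concrete, here is a toy Python tracer added as an illustration; it is not LAVA's code and does not describe Bromium's actual engine. It models the three kinds of evidence the post names: relational (parent/child and dropped-file edges), temporal (ordered timestamps) and functional (the event kind), propagates a taint tag outward from the exploited process, and turns any write to the MBR sector into an alert carrying the configured policy action. Process IDs, file paths, the event fields and the whole event stream are constructed for the example.

```python
"""Toy taint-propagation tracer over a constructed in-guest event stream.

Added example, not code from LAVA or Bromium. Once the exploited process is
tagged, every process it spawns, and every process started from a file it
dropped, inherits the tag. A write to a protected disk region (sector 0, the
MBR) is reported with the configured policy action. All identifiers below
(pids, paths, field names, sample events) are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

MBR_LBA = 0  # the Master Boot Record occupies the first 512-byte sector


@dataclass
class Event:
    t: int                      # temporal: monotonic timestamp (constructed)
    kind: str                   # functional: spawn | write_file | disk_write
    pid: int
    ppid: Optional[int] = None  # relational: parent process of a spawn
    path: Optional[str] = None  # file written, or image a spawn runs from
    lba: Optional[int] = None   # first sector of a disk_write
    sectors: int = 0


@dataclass
class Alert:
    t: int
    pid: int
    reason: str
    action: str


class TaintTracer:
    ACTIONS = ("ALLOW", "DENY", "AUTO_REMEDIATE")

    def __init__(self, exploited_pid: int, protected_lbas: Iterable[int],
                 policy: str = "DENY"):
        if policy not in self.ACTIONS:
            raise ValueError(f"unknown policy {policy!r}")
        self.tainted: Set[int] = {exploited_pid}
        self.tainted_files: Set[str] = set()
        self.file_writer: Dict[str, int] = {}   # dropped file -> tainted writer
        self.parent: Dict[int, int] = {}        # tainted child -> tainted parent
        self.protected = set(protected_lbas)
        self.policy = policy
        self.alerts: List[Alert] = []

    def feed(self, ev: Event) -> None:
        if ev.kind == "spawn":
            # Inherit taint from a tainted parent or from a dropped image.
            if ev.ppid in self.tainted:
                self.tainted.add(ev.pid)
                self.parent[ev.pid] = ev.ppid
            elif ev.path in self.tainted_files:
                self.tainted.add(ev.pid)
                self.parent[ev.pid] = self.file_writer[ev.path]
        elif ev.kind == "write_file" and ev.pid in self.tainted:
            self.tainted_files.add(ev.path)
            self.file_writer[ev.path] = ev.pid
        elif ev.kind == "disk_write":
            touched = set(range(ev.lba, ev.lba + ev.sectors))
            hit = touched & self.protected
            if hit:
                # Inside a micro-VM a write here is unexpected whatever its
                # origin; the taint tag tells the analyst whether it descends
                # from the exploited process.
                origin = "tainted" if ev.pid in self.tainted else "untainted"
                reason = f"write to protected sector(s) {sorted(hit)} by {origin} process"
                self.alerts.append(Alert(ev.t, ev.pid, reason, self.policy))

    def attack_chain(self, pid: int) -> List[int]:
        """Walk relational edges back to the exploited process."""
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain[::-1]


# Constructed stream for the post's scenario: the Java plugin (pid 200) under
# IE (pid 100) is exploited, drops a payload, runs it, and the payload rewrites
# the MBR. pid 50 is an unrelated writer to a data partition.
SAMPLE_EVENTS = [
    Event(t=1, kind="spawn", pid=200, ppid=100, path="java.exe"),
    Event(t=2, kind="write_file", pid=200, path=r"C:\Temp\dropper.exe"),
    Event(t=3, kind="spawn", pid=300, ppid=200, path=r"C:\Temp\dropper.exe"),
    Event(t=4, kind="disk_write", pid=50, lba=2048, sectors=8),
    Event(t=5, kind="disk_write", pid=300, lba=MBR_LBA, sectors=1),
]


def run_demo(policy: str = "DENY") -> TaintTracer:
    tracer = TaintTracer(exploited_pid=200, protected_lbas=[MBR_LBA], policy=policy)
    for ev in sorted(SAMPLE_EVENTS, key=lambda e: e.t):   # temporal order
        tracer.feed(ev)
    return tracer


if __name__ == "__main__":
    tr = run_demo()
    for a in tr.alerts:
        print(f"t={a.t} pid={a.pid} {a.action}: {a.reason}")
        print("attack chain:", " -> ".join(map(str, tr.attack_chain(a.pid))))
```

Note that IE itself (pid 100) never acquires the tag: the chain starts at the point of exploitation, which is what lets the analyst see the "actual point of attack" rather than every process in the guest. A real introspection engine would source these events from the hypervisor (EPT faults, intercepted disk I/O) rather than from a list, but the propagation and policy logic is the same shape.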

Since we are in a micro-VM container that ensures the system is protected, we can choose to let the attack play out fully and gather all the live forensic information, such as changes to the Registry, CPU registers, file system, network, processes, memory and API invocations, and provide it to the SOC analyst for detailed investigation. All of this can be enabled through policies in the Bromium management console.

The full forensic information, the exported data and the graph can be provided as evidence for SOC teams to update their enterprise security infrastructure and take remediation measures enterprise-wide.